LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

LWN.net Weekly Edition for September 26, 2013

A perf ABI fix

LWN.net Weekly Edition for September 19, 2013

Asteroid "mining" with Linux and FOSS

The end of the 3.12 merge window

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Prompt-free security for GNOME

By Nathan Willis
August 14, 2013
GUADEC 2013

At GUADEC 2013 in Brno, Czech Republic, Stef Walter presented his recent work to improve the security features of GNOME by removing problematic—and frequently ignored—"security features." The gist of Walter's approach is that interrupting users to force them to make a security decision produces the wrong result most of the time; far better is to try and determine the user's intent for the task at hand, and design the application to work correctly without intervention. This is a fairly abstract notion, but Walter presented three concrete examples of it in action.

The users and the humans

He started off the session by tweaking the standard security developer's notion of "the user." A "user," he said, is someone that security people frequently get annoyed by; users click on the wrong things, they fall for phishing attacks, and make plenty of other mistakes. It is better to think of users in terms of "human beings," because "human beings" are active, creative, and use their computers to do things—although they also get overwhelmed when faced with too much information at once.

This is where security design enters into the picture. Humans' brains filter out extraneous information, on a constant basis, as part of making sense of the world. So developers should not be surprised when those humans tune out or dismiss dialog boxes, for example. This means that "if you force the user to be part of the security system,"—primarily by forcing the user to make security decisions—"you're gonna have a really bad time." He likened the problem to a doctor that gives the patient all of the possible treatment options: the patient will get frustrated and ask "what would you do?" Software developers need to be prepared to make a strong recommendation, rather than presenting all of the choices to the user.

Walter then had a few bits of wisdom to share from this approach to security design. First, he said, the full extent of the humans' involvement in security should be to identify themselves. You can ask them for a password to prove who they are, but after that they should not be interrupted with questions about security policy. Next, it is important to remember that "professional users" are not different in this regard. By "professionals" he seemed to mean developers, system administrators, and others with knowledge of security systems. But just because they have this knowledge does not mean they should be interrupted.

That is because the worst possible time to ask the user to make a risky decision is when they are in the middle of trying to do something else, he said. "You're going to get results that are worse than random chance."

Application to applications

For developers, Walter offered two design maxims. First: Prompts are dubious, he said. If you are refactoring your code and you see a user prompt, regard it with suspicion, asking if you really need to prompt the user for a response. The end goal, he said, should be to get rid of Yes/No prompts.

The second maxim follows from the first: Security prompts are wrong. Or at least they are wrong 99% of the time or more, he said. Sure, you ask for a password, but that is an identification prompt, and passwords are an unfortunate fact of life. But prompts that ask questions about security, like "Do you want to continue?" or "Do you want to ignore this bad certificate?" are wrong. Furthermore, he added, if you then make the user's choice permanent, you add insult to injury.

He gave several examples of this bad design pattern, including the all-too-familiar untrusted-certificate prompt from the web browser, the "this software is signed by an untrusted provider" prompt from a package manager, and an "a new update is available that fixes your problem, please run the following command" prompt from Fedora's automatic bug reporting tool.

The correct approach, he said, is instead to stop interrupting the user, let the user take some action that expresses their intent, and then make a decision based on that intent. In other words, figure out what the user is trying to do, and design the software so that he can express his intent while working.

A positive example in this regard is Android's Intents system, which he called ripe with potential for getting it wrong, but actually gets it right. So, for example, the "file open" Intent could prompt the user with a bad dialog of the form "Application X has requested read/write access to file /foo/bar/baz. Continue? Disallow?" But, instead, it just opens up the file chooser and lets the user select the desired file. Thus the user gets asked to take a clear action, rather than asked a security-policy question.

A second, theoretical example would be the potentially private information in the Exif tags of a photo. If the user starts to upload a photo, the wrong approach would be to interrupt with a dialog asking if the user is aware that there is private information in the Exif tags. The better approach is simply to show the information (e.g., geographic location and a detailed timestamp) with the photo and make it easy to clear out the information with a button click.

The fix is in

Walter then showed off three new pieces of work he is developing to improve just such security-interruption problems. The first is the removal of untrusted-certificate prompts. This garnered a round of applause from the audience, although they were a bit more skeptical of Walter's solution, which is to simply drop the connection.

Dropping the connection is usually the correct behavior on the browser's part, he said, since the certificate problem is either an attack or a server-side misconfiguration. But there is one major class of exception, he added: enterprise certificate authorities (CAs). In these situations, an enterprise deploys an "anchor" certificate for its network which is not known to browsers out of the box. By adding support for managing enterprise CAs, GNOME can handle these situations without bringing back the untrusted certificate prompt.

Walter's solution is p11-kit-trust, which implements a shared "Trust Store" where any crypto library can store certificates, blacklists, credentials, or other information, and they will automatically be accessible to all applications. So far, NSS and GnuTLS support the Trust Store already, with a temporary workaround in place for OpenSSL and Java. Packages are already available for Debian and Fedora. There are command-line tools for administrators to add new certificates to the store, but there are not yet GUI tools or documentation. The same tools, he said, should be used for installing test certificates, personal or self-signed certificates, and other use-cases encountered by "professional" users.

The second new project is a change to how applications store passwords. Right now, gnome-keyring stores all passwords for all applications, but Walters noted that this is really surprising to users, particularly when they learn that any application can request any other application's stored passwords. The user's expectation, he said, is that passwords are "account data" and would be stored with other account information for the application. That is true, he observed, but it has not been done in practice because there is not a reliable way to encrypt all of this per-application storage.

The solution is libsecret, which applications can use to encrypt and store passwords with their other account information. Libsecret uses the Linux kernel keyring to hold a session key that the applications request to use for encrypting their saved passwords. Normally this session key is derived at the start of the session from the user's login password, but other values can also be returned to applications for policy reasons. Returning a blank key, Walter said, means "store your data in the clear," while not returning any value means the application is not permitted to save data.

The third new feature Walter is working on is the solution to a GNOME annoyance, in which the user is prompted at login time for the password, even if they have logged in via another method (such as fingerprint, PIN, or auto-login). The cause of this re-authentication is that GNOME needs the user password to decrypt secret data; the same double-step occurs when a user is prompted once for their password when unlocking an encrypted hard disk, and again when logging in to the session.

Walter's solution is a pluggable authentication module (PAM) called pam_unsuck that, again, relies on the kernel keyring. The kernel keyring will hold the user's password after login so it can be reused. If an account does not use any password to log in, a password will be created for it and saved in hardware-protected storage (where possible). He noted that the decision to use auto-login, fingerprints, or PINs already constitutes the user's conscious choice to use an authentication method less secure than a password. This scheme allows them to make that decision, it just prevents the nuisances of being prompted for a password anyway.

Walter ended the session by imploring developers to "go forth and kill ... prompts." There are many more places where changing the user-interruption paradigm can help GNOME craft a more secure system overall, he said, by putting fewer security decisions in front of the user.

[The author wishes to thank the GNOME Foundation for assistance with travel to GUADEC 2013.]

(Log in to post comments)

Enterprise certificates

Posted Aug 15, 2013 5:58 UTC (Thu) by jhhaller (subscriber, #56103) [Link]

There are definitely some intranet sites at my place of employment with incorrect certificates, either they are expired, or use a redirect where the redirect has a bad or no certificate, and even one case where the redirect goes to a numerical IP address. This particular site is run by Facilities Management, so I'm not confident they have someone to help them fix their website. But, this article did encourage me to report the problem to them.

Prompt-free security for GNOME

Posted Aug 15, 2013 14:35 UTC (Thu) by zzxtty (subscriber, #45175) [Link]

One improvement I'd like to see is not have these security prompts grab keyboard focus. It can't remember which OS/DE it is but I have had focus grabbed several times whilst I've been typing away, and bang, it's gone. My editor is missing half a line and I have no idea what I've agreed to. Some of us can type, some of us don't spend all our time looking at the monitor/keyboard!

Prompt-free security for GNOME

Posted Aug 15, 2013 16:07 UTC (Thu) by drag (subscriber, #31333) [Link]

That's a windows thing. It's pretty normal for applications to grab focus and it's not rare for a dialog box to basically take over a desktop if it's buggy.

Also I've noticed it happening a lot with Java programs in any platform.

With Gnome 3 you often get either a notification at the bottom of the screen or a dialog blocks access to the application it belongs to, but not other applications. Besides the mentioned java stuff I haven't run into any annoying situations that I can think of.

Prompt-free security for GNOME

Posted Aug 16, 2013 17:36 UTC (Fri) by wtanksleyjr (subscriber, #74601) [Link]

My favorite is when Outlook pops up a windows to prompt for the account password, and somehow manages to foreground it and provide a cursor WITHOUT grabbing focus. So if you type your password in, it'll actually be typed into whatever app you were previously using. Hope you don't use chat apps...

Then there's IE when using smartcards -- it often _backgrounds_ the certificate prompt, leaving you with no clue that the website is requesting input; the prompt window doesn't even show in the startbar (it does show in the alt-tab list).

Of course, you and the article are right; but Microsoft is at the forefront of usability research again, showing us all how it's not to be done.

Prompt-free security for GNOME

Posted Aug 15, 2013 20:57 UTC (Thu) by kh (subscriber, #19413) [Link]

I like the Exif tag example, and I think this is great work in general.

I have had to help people walk through accepting self-signed certificates over the phone before - they were logging into the free WiFi - I think in almost every case at public libraries, but I think in some other business locations as well.

I wonder if another option might be to have a default that simply drops and denies all security issues, unless a person starts a security minder app (found in System Settings?) that would allow the human to see the warnings and answer the questions.

Stupid ideas never die do they

Posted Aug 16, 2013 20:10 UTC (Fri) by jmorris42 (subscriber, #2203) [Link]

If I ever get an application that refuses to allow me to connect to a self signed cert I can promise that app will be promptly removed, rolled back to a working version or patched. Firefox included.

Silently drop the connection indeed!

How many articles have we read, including right here, that the whole cert authority trust model is broken anyway. So we have to pay anyway, even for development servers? Can't believe a room full of developers let that slide, but it is GNOMEs... :)

Yes, security theater should be minimized, but like everything else it should be simplified as much as possible but no further.

Stupid ideas never die do they

Posted Aug 22, 2013 12:20 UTC (Thu) by epa (subscriber, #39769) [Link]

Indeed, surely the whole point is to leave policy decisions to the user but provide an easy way to let the user specify his intent. The suggested change removes an annoying prompt, but it also removes any way for the user to specify the policy of whether to trust the site or not, so it's throwing the baby out with the bathwater.

(FWIW, nowadays if I get the Firefox certificate prompt, I usually just edit the address bar to change https: to http:. That works most of the time and, of course, the browser which complains so loudly about a self-signed certificate is quite happy to use an entirely unencrypted connection with no complaints whatsoever...)

Stupid ideas never die do they

Posted Aug 30, 2013 18:10 UTC (Fri) by wookey (subscriber, #5501) [Link]

Right. I see these prompts quite often these days - usually because numerous debian/free software sites use cacert-based certs and the base certs are not in the 'official' browser lists. The 'yes, yes, I know we're bloody hippies' prompt-dance-set is quite annoying but simply not being allowed access would be a big pile more annoying. Or do I misunderstand the effect of the proposed change?

And is there some prospect that the idiocy that makes many fine sites (such as Debconf's) pop up lots of scary warnings will go away one day?

Stupid ideas never die do they

Posted Aug 30, 2013 18:28 UTC (Fri) by raven667 (subscriber, #5198) [Link]

If I understand the proposal it was to make an easier certificate management tool so that instead of having a dialog with your application when it sees a cert you haven't approved that it instead references you to the management tool where you can easily download, inspect and approve the cert. The cert management tool should also make it easy and straightforward for an administrator to pre-load trusted certs, the end result being that you don't have avoidable cert issues in your applications.

That subtly changes the interaction from one where your application randomly pops up scary dialogs where the only sane response is to click "yes, do the thing I already told you to do, and stop bothering me, darnit!" to one where the user/admin is taking a positive action "please add this cert/authority, I trust it" and taking some ownership of certificate trust.

The hope is that this change and features added to the cert management tool can make a lot of scary warnings go away.

Stupid ideas never die do they

Posted Sep 4, 2013 10:44 UTC (Wed) by njwhite (subscriber, #51848) [Link]

The problem is that the vast majority of users don't know what MITM is, so will just click "override and let me do what I asked you" if prompted, obviating SSL completely.

I presume rather than silently drop the connection it would drop it with an error page saying something like "Security error" with technical details further down. Anyone who knows what MITM is should then be competent to use a companion certificate manager to import self-signed certificates, corporate ca certificates, etc. Anyone else has no business connecting to the site in question.

Prompt-free security for GNOME

Posted Aug 16, 2013 20:56 UTC (Fri) by james (subscriber, #1325) [Link]

I don't understand the given example of "a new update is available that fixes your problem, please run the following command". It's effectively saying "can I over-ride your update policy": if the user wanted the update, either he or she would have it by now, or he or she is waiting for a suitable time (or suitable bandwidth cost).

(I would accept that "a new update is available that fixes your problem, please click here to upgrade" would be friendly to more users, but I don't think that was the point he was trying to make.)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds